Dive Brief:
- There is no current evidence that a December attack by a state-linked threat actor targeting the U.S. Treasury Department workstations has impacted any other federal agency, the Cybersecurity and Infrastructure Security Agency said Monday.
- CISA said it is working closely with officials at the Treasury Department and BeyondTrust to fully mitigate and understand the impact of the attack, which has been attributed to threat actors linked to China. BeyondTrust notified Treasury officials last month that a threat actor stole a key used to provide cloud-based remote technical support to end users at the department.
- Meanwhile, BeyondTrust said in an updated blog post that it is close to finishing a forensic investigation of attacks against a limited number of Remote Support SaaS customers who were targeted in the attack spree. The company said all SaaS instances have been fully patched and no additional attacks have been reported.
Dive Insight:
The investigations indicate that any immediate threat appears to have been contained; however, questions remain about how the attacks specifically took place and what the long-term impacts will be for federal agencies and other BeyondTrust customers.
BeyondTrust last month linked the December attacks against Remote Support SaaS customers to a compromised API key. The company immediately revoked the key, notified affected customers and suspended instances.
BeyondTrust also pushed out a patch to all self-hosted instances.
Treasury officials disclosed the attack on the agency workstations in a letter to the chair and ranking member of the Senate Committee on Banking, Housing and Urban Affairs.
During an investigation with outside forensics experts, BeyondTrust identified a critical command injection vulnerability, listed as CVE-2024-12356, and a medium-severity vulnerability, listed as CVE-2024-12686. CISA in December added CVE-2024-12356 to its Known Exploited Vulnerabilities catalog.
Neither BeyondTrust nor federal officials have commented on whether the CVEs played a direct role in the attacks against the Treasury Department workstations.
Researchers at Censys on Thursday said more than 8,600 instances of BeyondTrust Remote Support & Privileged Remote Access were exposed, but on Monday updated the blog post to say that more than 13,500 were exposed after the company modified its detection methods.
A spokesperson for BeyondTrust emphasized the instances are visible, but that does not mean they are vulnerable. The spokesperson noted that all SaaS instances have been fully patched against the CVEs in the advisory and that patches have been pushed to all self-hosted instances.
Censys last week cautioned that not all exposed instances were necessarily vulnerable. The company on Monday told Cybersecurity Dive that customers using these particular products should manually verify that their devices have been correctly patched, since the devices are visible on the public internet, including to threat actors.